From 18485f1f316e8542a126fe2c84cea2e41eff2cfe Mon Sep 17 00:00:00 2001
From: quindecim
Date: Thu, 26 Mar 2020 13:06:10 -0400
Subject: [PATCH] [UPSTREAM] - (see description)

https://github.com/DNSCrypt/dnscrypt-proxy/commit/8896787e666f36f1955a5df0d2004f26a0ab634c
https://github.com/DNSCrypt/dnscrypt-proxy/commit/5049516f5390828121cccad1eed1ae77869f2cfd
https://github.com/DNSCrypt/dnscrypt-proxy/commit/74095d38ede60d2b65f0b8d218640f589de72840
---
 config/dnscrypt-proxy.toml | 26 +++++++++++++++-----------
 config/example-dnscrypt-proxy.toml | 26 +++++++++++++++-----------
 2 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/config/dnscrypt-proxy.toml b/config/dnscrypt-proxy.toml
index 2dd841f..d8d797c 100644
--- a/config/dnscrypt-proxy.toml
+++ b/config/dnscrypt-proxy.toml
@@ -624,19 +624,16 @@ cache_neg_max_ttl = 600
 # Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
 # truncate reponses larger than questions as expected by the DNSCrypt protocol.
+# This prevents large responses from being received over UDP and over relays.
+#
+# The `dnsdist` server software drops client queries larger than 1500 bytes.
+# They are aware of it and are working on a fix.
+#
+# The list below enables workarounds to make non-relayed usage more reliable
+# until the servers are fixed.
-# This prevents large responses from being received over UDP, and breaks relaying.
-# A workaround for the first issue will be applied to servers in list below.
-# Relaying cannot be reliable until the servers are fixed.
-# Do not change that list until the bugs are fixed server-side.
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']
-
-# Quad9 ignores the query instead of sending a truncated response when the
-# response is larger than the question.
-# Do not change that list until the bugs are fixed server-side.
-
-larger_responses_dropped = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']
@@ -699,6 +696,13 @@ larger_responses_dropped = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4
 ]
+# skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = false
+
+
+
+
 ## Optional, local, static list of additional servers
 ## Mostly useful for testing your own servers.
diff --git a/config/example-dnscrypt-proxy.toml b/config/example-dnscrypt-proxy.toml
index 9a829e9..937aa23 100644
--- a/config/example-dnscrypt-proxy.toml
+++ b/config/example-dnscrypt-proxy.toml
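Review bot: Removing `larger_responses_dropped` entirely is only safe if the dnscrypt-proxy binary this config ships with is built from the upstream commits named in the description, where that option was presumably retired alongside the config change; an older binary that still reads the key would silently apply whatever its built-in default is for the Quad9 servers, so the package should pin the matching version or record that dependency next to the change. The rewritten comment block also drops the previous `# Do not change that list until the bugs are fixed server-side.` caveat, and since `fragments_blocked` is now the only remaining workaround list I would keep a line above it such as `# This list tracks upstream; edit it only if the affected servers are fixed.` so that operators do not prune entries and reintroduce the UDP and relay failures the comment describes. The same hunk is repeated in config/example-dnscrypt-proxy.toml and the same points apply there.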
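Review bot: `skip_incompatible = false` is documented only as the negation of "skip", which leaves the security-relevant consequence implicit: with `false`, queries to a resolver that cannot be reached through a relay are presumably sent to it directly, i.e. without the anonymization hop the operator configured, and the client's address reaches that resolver. The comment should state that trade-off so that someone relying on relays for privacy knows to set `true`, for example `# false: resolvers that cannot be relayed are queried directly (not anonymized); set to true if the relay hop is required.` The enclosing table header is outside the hunk, so the exact scope of the key cannot be confirmed here. Stylistically the comment is separated from its key by a blank line and followed by four blank lines; as the `fragments_blocked` block earlier in this file keeps its comment directly above the key, the comment should sit on the line before `skip_incompatible = false` with a single blank line after it. The matching hunk in config/example-dnscrypt-proxy.toml has the same issues.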
@@ -624,19 +624,16 @@ cache_neg_max_ttl = 600
 # Cisco servers currently cannot handle queries larger than 1472 bytes, and don't
 # truncate reponses larger than questions as expected by the DNSCrypt protocol.
+# This prevents large responses from being received over UDP and over relays.
+#
+# The `dnsdist` server software drops client queries larger than 1500 bytes.
+# They are aware of it and are working on a fix.
+#
+# The list below enables workarounds to make non-relayed usage more reliable
+# until the servers are fixed.
-# This prevents large responses from being received over UDP, and breaks relaying.
-# A workaround for the first issue will be applied to servers in list below.
-# Relaying cannot be reliable until the servers are fixed.
-# Do not change that list until the bugs are fixed server-side.
+fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri', 'cleanbrowsing-adult', 'cleanbrowsing-family-ipv6', 'cleanbrowsing-family', 'cleanbrowsing-security']
-fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']
-
-# Quad9 ignores the query instead of sending a truncated response when the
-# response is larger than the question.
-# Do not change that list until the bugs are fixed server-side.
-
-larger_responses_dropped = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4-filter-pri', 'quad9-dnscrypt-ip4-nofilter-alt', 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-filter-alt', 'quad9-dnscrypt-ip6-filter-pri', 'quad9-dnscrypt-ip6-nofilter-alt', 'quad9-dnscrypt-ip6-nofilter-pri']
@@ -689,6 +686,13 @@ larger_responses_dropped = ['quad9-dnscrypt-ip4-filter-alt', 'quad9-dnscrypt-ip4
 # ]
+# skip resolvers incompatible with anonymization instead of using them directly
+
+skip_incompatible = false
+
+
+
+
 ## Optional, local, static list of additional servers
 ## Mostly useful for testing your own servers.